What Is Spam and How to Protect Against It?

More than 333 billion emails will criss-cross people’s inboxes every day this year,[1] and a big chunk of them will be junk, aka email spam. Estimates about how much spam accounts for all emails sent range from half to more than three-quarters of incoming mail.[2] It’s tricky to nail down the exact amount because much of these messages go into spam filters unread. In the marketing world, if 2.6% of messages are opened, that’s considered a success. In the cybersecurity world, that could lead to a nightmare.

Loosely defined, spam is unsolicited email typically sent in bulk. This covers a multitude of emails, from dating scams to pleas for money, to legitimate merchant offers. Parsing through the sheer volume of spam is also a time-waster: One study estimates that full-time workers spend 35 minutes daily dealing with irrelevant emails in their crowded inboxes.[3] 

Eggs, Bacon, and Spam

The first example of spam is believed to have been a sales presentation emailed in 1978 by a marketing manager at a computer company to a few hundred users of ARPANET, an ancestor of the World Wide Web.[4] The message worked in generating sales. The name “spam” came later, borrowed from a Monty Python TV skit mocking the ubiquity of the canned meat. 

The volume of spam continues to grow, especially as new channels for delivering messages, such as mobile phones and social media, have emerged. Spammers also take advantage of news and events. For example, during the first 100 days of the COVID-19 pandemic, Mimecast Threat Intelligence spotted a 26% overall rise in spam alongside a 33% jump in phishing emails. The related increases make sense, since spam is often the vehicle for phishing attacks – whereby bad actors pose as legitimate businesses to trick recipients – and the pivot to remote work during lockdown was a prime opportunity for fraudsters. 

Many enterprises are now armed with spam filters, powered by lists of approved and unapproved email senders, to help extract the pesky junk from real email. But as Mimecast reported in its latest The State of Email Security Report, 96% of companies have been attacked via email, and fraudsters are not letting up. All it takes is one suspect message getting through to wreak havoc. 

Types of Spam              

Spam comes in many forms: 

• Email spam: The “original recipe” spam is a bulk email, sometimes personalized with “Dear [Name],” but often just a message with a kicky subject line or attractive offer, like “Lower your interest rates!” or “Congratulations! You’ve won a prize!” Spam can be legitimate solicitations or contain all sorts of malicious content. 
• Text spam: Spammers have taken to SMS as email filters have become more proficient. Spam texts often include a link, directing a person to an app or website. These, too, can be benign, offering information or soliciting donations, but they also can be a vehicle for planting malware and for brand impersonation attacks. Some spammers also use direct messaging platforms, such as Facebook Messenger, WhatsApp, and Snapchat.
• Social media spam: Spammers are taking advantage of hashtags and keywords to blast messages to users of social media platforms, with the help of bots that spot keywords and direct messages to related accounts. This can result in an “angler phishing” attack, whereby scammers impersonate customer-service social media accounts and intercept communications with customers. 
• Voice spam: Voice spam takes advantage of voice-response systems by sending recorded messages to people’s phones and asking for a response verbally or via the phone keypad. Not only are these used in co-called “vishing” attacks, but they can help fraudsters obtain a voice print to circumvent biometric authentication in a subsequent breach. 

How to Detect Spam  

Like many aspects of cybersecurity, awareness is the first line of defense to prevent falling victim to or merely wasting time dealing with spam that evades filters and firewalls. There are many ways to detect spam, and the lessons learned from battling email spam apply to almost any kind: 

• Double-check the sender: An email address made up of random letters and numbers is a dead giveaway of a bulk sender. Spam emails may display as coming from one sender, but in most email platforms, hovering or clicking over the sender’s name will reveal the true origin address.  
• Check the domain: Is the email coming from a company address or a public email service like Gmail or Outlook? Is it coming from the right domain? For example, if that email with COVID-19 treatment information doesn’t come from a .gov, .edu, or .org domain, err on the assumption that it’s spam. Spammers and fraudsters will often register look-alike domains similar to well-known companies, so check for small misspellings (e.g., Netfllx instead of Netflix) or look-alike numbers swapped for characters, like the number 0 for the letter O.
• Pay attention to the subject line: Spammers rely on users taking the bait they lay out in the subject line. Be wary of words and phrases like “opportunity”, “eliminate debt”, and, yes, “this isn’t spam”. A long subject line with wild promises or dire warnings (about a tax audit, for example) or demanding immediate attention are also spam tip-offs. Take a breath before you do anything; scammers count on the reader being flustered enough to click on a link in a rush.

How to Prevent Spam 

Luckily, modern technology offers multiple spam defenses. Those bolstered by artificial intelligence and machine learning are continuously improving detection, too. “Sorry, it went into my spam filter” could be a moot excuse soon. 

A few best practices can help: 

• Improve spam filters and antivirus software: Most email platforms now routinely screen for spam, but adding another layer at the network level improves protection. A cloud-based spam filter solution can shield an organization, without the need to install software or hardware, and it will keep security pros’ screens up-to-date with all the latest threat intelligence. 
• Improve spam reporting: Many filters now learn from the email traffic coming through, so encouraging staff to flag spam that makes it through to their primary inboxes can help improve the company’s banned list. Also, asking employees to report any addresses that were incorrectly filtered will help the system learn. 
• Block automatic downloads: Blocking the automatic download of pictures or links in emails prevents spammers from verifying that they’ve contacted a valid address, which they can subsequently sell to other spammers. Blocking downloads is also a good defense against infection from malicious malware that could be lurking in messages. 
• Turn off email read and delivery receipts: Receipts can serve the same function as automatic downloads in confirming a valid address. Turn them off as the default on the company email. 

The Bottom Line

Spam email is a hassle that causes lost productivity and creates cybersecurity risks in organizations of all sizes. Spotting and stopping junk email can improve workflows and security, and new technologies are making those defenses stronger, smarter, and less intrusive to users. Find out more about spam protection from Mimecast. 

[1] Email Statistics Report, 2021-2025, The Radicati Group

[2] Spam Statistics and Facts, SpamLaws.com 

[3] “How to Spend Less Time on Email Every Day,” Harvard Business Review, January 22, 2019

[4] “40 years on from the first spam email, what have we learned? Here are 5 things you should know about junk mail,” World Economic Forum